From: joeyli <jlee@suse.com>
To: Takashi Iwai <tiwai@suse.de>, Mimi Zohar <zohar@linux.ibm.com>
Cc: Mimi Zohar <zohar@linux.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ima: Fix undefined arch_ima_get_secureboot() and co
Date: Thu, 16 Dec 2021 00:03:45 +0800 [thread overview]
Message-ID: <20211215160345.GF3786@linux-l9pv.suse> (raw)
In-Reply-To: <s5hpmpz9o08.wl-tiwai@suse.de>
Hi Takashi, Mimi,
On Tue, Dec 14, 2021 at 04:58:47PM +0100, Takashi Iwai wrote:
> On Tue, 14 Dec 2021 16:31:21 +0100,
> Mimi Zohar wrote:
> >
> > Hi Takashi,
> >
> > On Mon, 2021-12-13 at 17:11 +0100, Takashi Iwai wrote:
> > > Currently arch_ima_get_secureboot() and arch_get_ima_policy() are
> > > defined only when CONFIG_IMA is set, and this makes the code calling
> > > those functions without CONFIG_IMA failing. Although there is no such
> > > in-tree users, but the out-of-tree users already hit it.
> > >
> > > Move the declaration and the dummy definition of those functions
> > > outside ifdef-CONFIG_IMA block for fixing the undefined symbols.
> > >
> > > Signed-off-by: Takashi Iwai <tiwai@suse.de>
> >
> > Before lockdown was upstreamed, we made sure that IMA and lockdown
> > could co-exist. This patch makes the stub functions available even
> > when IMA is not configured. Do the remaining downstream patches
> > require IMA to be disabled or can IMA co-exist?
>
> I guess Joey (Cc'ed) can explain this better. AFAIK, currently it's
> used in a part of MODSIGN stuff in SUSE kernels, and it's calling
> unconditionally this function for checking whether the system is with
> the Secure Boot or not.
>
Actually in downstream code, I used arch_ima_get_secureboot() in
load_uefi_certs() to prevent the mok be loaded when secure boot is
disabled. Because the security of MOK relies on secure boot.
The downstream code likes this:
/* the MOK and MOKx can not be trusted when secure boot is disabled */
- if (!efi_enabled(EFI_SECURE_BOOT))
+ if (!arch_ima_get_secureboot())
return 0;
The old EFI_SECURE_BOOT bit can only be available on x86_64, so I switch
the code to to arch_ima_get_secureboot() for cross-architectures and sync
with upstream api.
The load_uefi.c depends on CONFIG_INTEGRITY but not CONFIG_IMA. So
load_uefi.c still be built when CONFIG_INTEGRITY=y and CONFIG_IMA=n.
Then "implicit declaration of function 'arch_ima_get_secureboot'" is
happened.
Thanks a lot!
Joey Lee
next prev parent reply other threads:[~2021-12-15 16:04 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-13 16:11 [PATCH] ima: Fix undefined arch_ima_get_secureboot() and co Takashi Iwai
2021-12-14 15:31 ` Mimi Zohar
2021-12-14 15:58 ` Takashi Iwai
2021-12-15 16:03 ` joeyli [this message]
2021-12-15 18:16 ` Mimi Zohar
2021-12-16 4:32 ` joeyli
2021-12-16 13:22 ` Mimi Zohar
2021-12-18 2:27 ` joeyli
2021-12-22 17:10 ` Mimi Zohar
2021-12-22 19:15 ` Takashi Iwai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211215160345.GF3786@linux-l9pv.suse \
--to=jlee@suse.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=tiwai@suse.de \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox